
I'm running a VPS with Nginx Proxy Manager on it, and I was in the process of securing my server. I want to be able to connect to port 81 of the server when I'm connected via VPN but block it for everyone else on the internet.

I've tried to block port 80 on eth0 with ufw, but with no results. After digging I found the DOCKER-USER filters for iptables.

So I've used:

iptables -I DOCKER-USER -i eth0 -p tcp --dport 81 -j DROP

It doesn't work very well: I can access port 81 from the public IP address of the server, and one thing I've noticed is that the web panel becomes way slower.

What do I have to do to block port 81 of the container from being accessible from the public IP of the server?

EDIT: here are the rules I've tried:

DOCKER-USER -i eth0 -o eth0 -p tcp -m tcp --dport 81 -j DROP
DOCKER-USER -i eth0 -p tcp -m conntrack --ctdir ORIGINAL -m tcp --dport 81 -j DROP

MagiiTech's suggestion in the answer below:

# Allowing traffic to and from tun0:
iptables -I DOCKER-USER 1 -i tun0 -j ACCEPT
iptables -I DOCKER-USER 2 -o tun0 -j ACCEPT
# Now we block 81/tcp
iptables -I DOCKER-USER 3 ! -i lo -p tcp --dport 81 -j DROP

(this works, but I cannot log in to the web panel via the VPN connection)

1 Answer

Your config looks good; are you sure your external network interface is called eth0 (usually it is called something like enp1s0)? Also, if you access your server using IPv6, you must set your rules separately using ip6tables.

This is the approach I would take when you only have a single server, only allowing traffic from the lo interface:

iptables -I DOCKER-USER 1 ! -i lo -p tcp --dport 81 -j DROP

EDIT:

# Allowing traffic to and from tun0:
iptables -I DOCKER-USER 1 -i tun0 -j ACCEPT
iptables -I DOCKER-USER 2 -o tun0 -j ACCEPT
# Now we block 81/tcp
iptables -I DOCKER-USER 3 ! -i lo -p tcp --dport 81 -j DROP
MagiiTech
  • Looking with the ifconfig command under the eth0 interface I see `inet my.public.ip.address`. I don't want to disable everything except the loopback because to access the web panel I'm connecting to the server with a VPN; I think doing that would disable access to port 81 also from the tun0 interface of the VPN. – Emmanuele D'Ettorre May 18 '21 at 12:23
  • In that case allow any forwarded connections from the tun0 interface before blocking access: `iptables -I DOCKER-USER 1 -i tun0 -j ACCEPT`. This allows the tun interface to access any port. – MagiiTech May 18 '21 at 13:02
  • OK, now my iptables looks like this:
    -A DOCKER-USER -i tun0 -j ACCEPT
    -A DOCKER-USER ! -i lo -p tcp -m tcp --dport 81 -j DROP
    -A DOCKER-USER -j RETURN
    But still I can't access port 81 via the VPN connection; I've double checked and indeed tun0 is the OpenVPN interface. Am I missing something? Should I change the order of the rules? – Emmanuele D'Ettorre May 18 '21 at 13:14
  • The order of the rules is correct; I suppose the problem is that traffic needs to be forwarded through tun0. I've updated my post. – MagiiTech May 18 '21 at 13:22
  • Unfortunately it still doesn't work after updating the iptables with your edited answer. I've also tried to replace your first 2 rules with `DOCKER-USER -s 10.8.0.0/24 -i tun0 -o tun0 -j ACCEPT` and still I can't access port 81. That IP range is the one of the VPN network. – Emmanuele D'Ettorre May 18 '21 at 13:45
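The following script is an added example, not code from the question, the answer or the Nginx Proxy Manager project. It packages the rule set from the answer (VPN ACCEPTs first, then the `! -i lo` DROP) so that it is emitted for both iptables and ip6tables, as the answer recommends for IPv6, and so that re-running it does not insert duplicate rules. It assumes the VPN interface is named tun0 and that the container listens on port 81 itself (NPM publishes 81:81); because DOCKER-USER is evaluated in the FORWARD chain after Docker's DNAT, `--dport` there matches the container-side port, not the published host port. `rule_order_ok` is a small sanity check for the ordering the answer depends on.

```shell
#!/bin/sh
# Added example: generate and apply the DOCKER-USER rules from the answer.
# Assumptions: VPN interface "tun0", container port 81 (published 81:81).
# Nothing here touches the firewall unless apply_rules is called.

# emit TOOL POSITION RULE...
# Prints "TOOL -C ... || TOOL -I ..." so the rule is only inserted when
# it is not already present (re-running the script stays idempotent).
emit() {
  tool=$1; pos=$2; shift 2
  printf '%s -C DOCKER-USER %s 2>/dev/null || %s -I DOCKER-USER %s %s\n' \
    "$tool" "$*" "$tool" "$pos" "$*"
}

# docker_user_rules TOOL VPN_IFACE PORT
# Prints the three rules in the order the answer requires: forwarded
# traffic entering or leaving the VPN interface is accepted first, and
# only then is port PORT dropped for every interface except loopback.
docker_user_rules() {
  tool=$1; vpn=$2; port=$3
  emit "$tool" 1 -i "$vpn" -j ACCEPT
  emit "$tool" 2 -o "$vpn" -j ACCEPT
  emit "$tool" 3 ! -i lo -p tcp --dport "$port" -j DROP
}

# rule_order_ok RULE_TEXT
# Returns 0 when both ACCEPT rules precede the DROP rule, 1 otherwise.
# A DROP that lands above the VPN ACCEPTs is exactly the misordering that
# would lock the VPN client out of the panel along with everyone else.
rule_order_ok() {
  printf '%s\n' "$1" | awk '
    /-j DROP/   { if (accepts < 2) bad = 1; seen_drop = 1 }
    /-j ACCEPT/ { if (seen_drop) bad = 1; accepts++ }
    END { exit bad ? 1 : 0 }'
}

# apply_rules [VPN_IFACE] [PORT]
# Applies the rule set for IPv4 and IPv6 (needs root); stops on first error.
apply_rules() {
  for tool in iptables ip6tables; do
    docker_user_rules "$tool" "${1:-tun0}" "${2:-81}" | sh -e
  done
}
```

After `apply_rules`, `iptables -S DOCKER-USER` shows the chain in order and `iptables -L DOCKER-USER -v -n` shows per-rule packet counters, which is the quickest way to see whether a VPN test connection is hitting the ACCEPT rule or falling through to the DROP. If the external interface is not eth0, none of the interface-based rules in the thread need changing, since they only name tun0 and lo.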